The Financial Stability Board ("FSB"), an international organisation that monitors and makes recommendations about the global financial system, has published a report on financial sector cyber security following the results of a "stocktake". The FSB is chaired by Mark Carney, Governor of the Bank of England.
The report was delivered at the meeting between G20 Finance Ministers and Central Bank governors in Washington DC on 14 October 2017. The FSB had been charged by the G20, in March 2017, with carrying out a stocktake with the aim of enhancing cross-border co-operation.
Background to report
The G20 is concerned about the increasing potential for cyber attacks to disrupt financial services and international financial stability. The risk is a challenging one to face as financial institutions grapple with evolving technology, increased connectivity between financial institutions and external parties, and determined and sophisticated criminals. Since the FSB was commissioned to carry out this analysis there have been at least two widespread global cyber attacks, with the WannaCry program in May and the ransomware that struck just a month later in June, dubbed "NotPetya" by some.
Authorities across the globe have taken regulatory and supervisory steps to facilitate both the mitigation of cyber risk by financial institutions and their effective response to, and recovery from, cyber attacks.
In revealing its findings, the FSB published two reports: (a) a summary report and (b) a detailed analysis of the results of the stocktake. The reports were guided by survey responses of FSB member jurisdictions (24 in total) and international bodies.
The key findings of the reports include:
- All FSB member jurisdictions are in favour of drawing upon a small body of existing national or international guidance or standards when developing domestic regulatory or supervisory regimes for the financial sector;
- Two thirds of reported regulatory schemes adopt a targeted approach to cyber security whilst the remainder address operational risk more broadly;
- Some elements commonly covered by regulatory schemes targeted to cyber security include risk assessment, regulatory reporting, the role of a company's board, third-party interconnections, system access controls, incident recovery, testing and training;
- Jurisdictions remain committed to developing regulations and guidance. Almost three quarters of the jurisdictions report plans to issue new regulations, guidance or supervisory practices that address cyber security for the financial sector within the next year.
Private sector participants in the reports noted the importance of integrating security with business operations, as well as the significance of communication with a company's board.
Fighting cyber crime in the future
In an aggressive and constantly evolving environment, governments and companies need to continue to pool resources and collaborate to address the threat posed by cyber attacks. It is concerning that only two thirds of reported regulatory schemes covered in the FSB report adopt a targeted approach to cyber security, and it suggests that more proactive work needs to be undertaken by some jurisdictions. The connections between financial institutions across borders underline the importance of a uniform approach. If some jurisdictions suffer cyber attacks as a result of passive, hands-off policies, the consequences are likely to be far-reaching across the globe.
Regulation is unlikely to provide all the answers for this complex and developing threat to businesses. Comprehensive planning to deal with the practical and legal issues is increasingly important.